Hi there,
I tried to configure Keycloak to authenticate against Windows Active
Directory using Kerberos credentials.
But I keep getting an Exception.
Setup is as follows:
I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final.
In addition I installed freeipa-client and added a /etc/krb5.conf file as
well as my keytab file.
But when I configure Kerberos as required in the browser flow, I get the
following Exception and the browser shows me a basic auth login dialog,
that does not allow me to log in at all.
Any ideas? How can gather more information?
13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true
useTicketCache false useKeyTab true doNotPrompt true ticketCache is null
isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab
refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.
HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is
false storePass is false clearPass is false
13:26:25,796 INFO [stdout] (default task-64) principal is
HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE
13:26:25,796 INFO [stdout] (default task-64) Will use keytab
13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded
13:26:25,796 INFO [stdout] (default task-64)
13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
(default task-47) SPNEGO login failed: java.security.PrivilegedActionException:
GSSException: Defective token detected (Mechanism level: GSSHeader did not
find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(
SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(
LDAPStorageProvider.java:542)
at org.keycloak.credential.UserCredentialStoreManager.authenticate(
UserCredentialStoreManager.java:323)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.
authenticate(SpnegoAuthenticator.java:90)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(
DefaultAuthenticationFlow.java:184)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(
AuthenticationProcessor.java:792)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(
AuthenticationProcessor.java:667)
at org.keycloak.protocol.AuthorizationEndpointBase.
handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.
buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(
AuthorizationEndpoint.java:125)
at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(
ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(
KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(
FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHand
ler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandl
er.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
er.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler
.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandle
r.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(
NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssocia
tionHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level:
GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(
GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(
GSSContextImpl.java:285)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.
establishContext(SPNEGOAuthenticator.java:172)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$
AcceptSecContext.run(SPNEGOAuthenticator.java:135)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$
AcceptSecContext.run(SPNEGOAuthenticator.java:125)
... 60 more
13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
Entering logout
13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
logged out Subject